<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0,viewport-fit=cover"><title>学海无涯苦作舟</title><meta name="author" content="小乾"><meta name="copyright" content="小乾"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta property="og:type" content="website">
<meta property="og:title" content="学海无涯苦作舟">
<meta property="og:url" content="https://xiaoqian2000.gitee.io/blogs/index.html">
<meta property="og:site_name" content="学海无涯苦作舟">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://xiaoqian2000.gitee.io/blogs/img/headpicture.png">
<meta property="article:author" content="小乾">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://xiaoqian2000.gitee.io/blogs/img/headpicture.png"><link rel="shortcut icon" href="/blogs/img/headpicture.png"><link rel="canonical" href="https://xiaoqian2000.gitee.io/blogs/index.html"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/blogs/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox/fancybox.min.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = {
  root: '/blogs/',
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  dateSuffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  source: {
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isAnchor: false,
  percent: {
    toc: true,
    rightside: false,
  },
  autoDarkmode: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
  title: '学海无涯苦作舟',
  isPost: false,
  isHome: true,
  isHighlightShrink: false,
  isToc: false,
  postUpdate: '2023-09-19 18:27:22'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
    win.saveToLocal = {
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const now = new Date()
        const expiryDay = ttl * 86400000
        const item = {
          value: value,
          expiry: now.getTime() + expiryDay,
        }
        localStorage.setItem(key, JSON.stringify(item))
      },

      get: function getWithExpiry(key) {
        const itemStr = localStorage.getItem(key)

        if (!itemStr) {
          return undefined
        }
        const item = JSON.parse(itemStr)
        const now = new Date()

        if (now.getTime() > item.expiry) {
          localStorage.removeItem(key)
          return undefined
        }
        return item.value
      }
    }
  
    win.getScript = url => new Promise((resolve, reject) => {
      const script = document.createElement('script')
      script.src = url
      script.async = true
      script.onerror = reject
      script.onload = script.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        script.onload = script.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(script)
    })
  
    win.getCSS = (url,id = false) => new Promise((resolve, reject) => {
      const link = document.createElement('link')
      link.rel = 'stylesheet'
      link.href = url
      if (id) link.id = id
      link.onerror = reject
      link.onload = link.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        link.onload = link.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(link)
    })
  
      win.activateDarkMode = function () {
        document.documentElement.setAttribute('data-theme', 'dark')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#0d0d0d')
        }
      }
      win.activateLightMode = function () {
        document.documentElement.setAttribute('data-theme', 'light')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#ffffff')
        }
      }
      const t = saveToLocal.get('theme')
    
          if (t === 'dark') activateDarkMode()
          else if (t === 'light') activateLightMode()
        
      const asideStatus = saveToLocal.get('aside-status')
      if (asideStatus !== undefined) {
        if (asideStatus === 'hide') {
          document.documentElement.classList.add('hide-aside')
        } else {
          document.documentElement.classList.remove('hide-aside')
        }
      }
    
    const detectApple = () => {
      if(/iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)){
        document.documentElement.classList.add('apple')
      }
    }
    detectApple()
    })(window)</script><meta name="generator" content="Hexo 6.3.0"></head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/blogs/img/headpicture.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="sidebar-site-data site-data is-center"><a href="/blogs/archives/"><div class="headline">文章</div><div class="length-num">27</div></a><a href="/blogs/tags/"><div class="headline">标签</div><div class="length-num">0</div></a><a href="/blogs/categories/"><div class="headline">分类</div><div class="length-num">3</div></a></div><hr class="custom-hr"/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/blogs/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></div><div class="menus_item"><a class="site-page" href="/blogs/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div></div></div><div class="page" id="body-wrap"><header class="full_page" id="page-header" style="background-image: url('/blogs/img/wallhaven-9moko8_2560x1600.png')"><nav id="nav"><span id="blog-info"><a href="/blogs/" title="学海无涯苦作舟"><span class="site-name">学海无涯苦作舟</span></a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/blogs/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></div><div class="menus_item"><a class="site-page" href="/blogs/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div><div id="toggle-menu"><a class="site-page" href="javascript:void(0);"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="site-info"><h1 id="site-title">学海无涯苦作舟</h1></div><div id="scroll-down"><i class="fas fa-angle-down scroll-down-effects"></i></div></header><main class="layout" id="content-inner"><div class="recent-posts" id="recent-posts"><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/20/Window10%20SwapContext%E5%88%86%E6%9E%90/" title="Win10 X64 1904 线程交换SwapContext分析">Win10 X64 1904 线程交换SwapContext分析</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-20T13:21:52.000Z" title="发表于 2023-08-20 21:21:52">2023-08-20</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/windows%E5%86%85%E6%A0%B8%E7%9F%A5%E8%AF%86/">windows内核知识</a></span></div><div class="content">1.SwapContext 有几个参数，分别是什么？
2个参数   第一个参数:WaitIrql 第二个是要切换的线程_KTHREAD

SwapContext 在哪里实现了线程切换


线程切换的时候，会切换CR3吗？切换CR3的条件是什么?会切换

中断门提权时，CPU会从TSS得到ESP0和SS0，TSS中存储的一定是当前线程的ESP0和SS0吗？如何做到的？
是的,




FS:[0]在3环指向TEB，但是线程有很多，FS:[0]指向的是哪个线程的TEB，如何做到的？
修改了3环的gs,

0环的 ExceptionList 在哪里备份的？
没有找到

IdleThread是什么？什么时候执行？找到这个函数.

如何找到下一个就绪线程？

模拟线程切换与Windows线程切换有哪些区别？
模拟切换不是真正的切换


SwapContext流程浅析:先比较目标线程是不是处于运行状态,不是就就置为1(运行)否在跳走处理

清除中断 读取时间戳  修改_KPRCB中的时间戳  判断是否有要处理的中断没有就跳走   有的话调用HalRequestSoftwareInterrupt 处 ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/20/win10%20%E7%B3%BB%E7%BB%9F%E8%B0%83%E7%94%A8/" title="Win10 X64 1904 系统调用">Win10 X64 1904 系统调用</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-20T13:21:52.000Z" title="发表于 2023-08-20 21:21:52">2023-08-20</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/windows%E5%86%85%E6%A0%B8%E7%9F%A5%E8%AF%86/">windows内核知识</a></span></div><div class="content">系统调用系统调用分为两种,一种是新款cpu提供的指令(systemcall )称之为快速调用 ,另一种是通过int2e中断提权调用(目前使用很少为了兼容老cpu).
INT2E 调用int2e走ntoskrnl.exe 中的KxUnexpectedInterrupt0函数

但是我逆了发现 如果你的cpu符合快速调用环境,你的int2E就不会执行,我尝试了用windbg下了断点但是断不下来我强行再内部下断经常会被编号为(d1)的时钟中断断下,但是跟进去发现了有个地方判断在KPRCB+3140h地方有个大小为256个指针函数(中断表)[mov     rsi, [rsi+rax*8+3140h]],rax就是中断索引号 rsi是_KPRCB,(d1)是有值的而(2e)是0.

后面有一大段流程就没有继续逆了.
快速调用32位系统走的是sysenter&#x2F;sysexit指令

sysenter1234567891011IF in IA-32e modeTHENRSP ← IA32_SYSENTER_ESP;RIP ← IA32_SYSENTER_EIP;ELSEESP ← IA32 ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/20/C++%E7%B1%BB%E7%9A%84%E5%86%85%E5%AD%98%E5%88%86%E5%B8%83/" title="C++类的内存分布">C++类的内存分布</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-20T11:51:52.000Z" title="发表于 2023-08-20 19:51:52">2023-08-20</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/Effective-Modern-C/">Effective Modern C++</a></span></div><div class="content">C++类的内存分布1.非静态成员变量,虚函数,内存对齐会影响类内存大小.本文优先考虑32位程序内存布局:class A
{
​	virtual void Func(){};
​	int m_X;
​	short m_Y;
}
A:{
​	0-4 :虚函数表
​	4-8: m_X 成员变量
​	8-12: m_Y 成员变量 (内存对齐)
}
sizeof(A)&#x3D;&#x3D;12字节
第一位:虚函数:如果类里面有虚函数,类前4个字节是个虚函数表的指针.(64位是前8字节),如果你的类如果继承
第二位:非静态成员变量.
2.当继承多个有虚函数的类会有多个虚表

1.例子中A和C中都要虚函数,B继承了A和B,B的内存中就有两个虚函数表;即使声明称成员类也是如此,不过不一定是在前面,跟你申明位置有关系.
3.在C++中类的地址减去一个指针的大小取值在加上12字节就是std::type_infor对象地址指针.
不过在64位下放的就不是指针而是一个偏移至于是怎么运算的网上也没有找到,我猜测是通过逻辑运算,下面有猜测伪代码.
我目前测试环境是vs2022下,别的编译器就不清楚了.

123 ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/15/decltpye%E8%AE%B2%E8%A7%A3/" title="decltpye:讲解">decltpye:讲解</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-14T16:03:52.000Z" title="发表于 2023-08-15 00:03:52">2023-08-15</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/Effective-Modern-C/">Effective Modern C++</a></span></div><div class="content">decltpye:讲解1.decltype()里面直接填写变量名会直接使用变量类型不会发生退化情况.
2.decltype()里面放入表达式会根据表达式的返回类型进行返回.如果返回是个左值就会返回其类型的引用,如果是右值会直接返回其类型而不是引用(返回类型不是左值就是右值).
3.decltype不会计算填写的表达式,也就不会修改填写的内容数据.
decltype使用场景:在使用函数模板时在某些情况是没法获取集体返回类型可以通过次关键字进行推导.
C++11:放到函数声明尾部     auto fun()-&gt;decltype(表达式){ };
C++14:直接可以放在头部	decltype(表达式) fun(){ };
</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2010-1/" title="恶意代码实战分析10.1">恶意代码实战分析10.1</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 10-1本实验包括一个驱动程序和一个可执行文件。你可以从任意位置运行可执行文件，但为了使程序能够正常运行，必须将驱动程序放到C:\WindowslSystem32目录下，这个目录在受害者计算机中已经存在。可执行文件是Lab10-1.exe，驱动程序是Lab10-01.syso.问题1.这个程序是否直接修改了注册表（使用procmon来检查）?
1.Lab10-1.exe修改注册表:HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed.
2.驱动也修改了注册表不过procmon捕获不到R0的函数.
2．用户态的程序调用了ControlService函数，你是否能够使用WinDbg 设置一个断点，以此来观察由于ControlService的调用导致内核执行了怎样的操作?
通过OD在函数ControlService下断点使其中断,然后利用Windbg调试虚拟机,利用命令
1!drvobj Lab10-01

,显示Lab10-01进程相关的驱动对象,输入命令
1dt _DRIVER_OBJECT 8202a470

,当我们分析得知Control ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%201-2/" title="恶意代码实战分析1.2">恶意代码实战分析1.2</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab1-2问题1．将Lab01-02.exe文件上传至 http:&#x2F;www.VirusTotal.com/进行分析并查看报告。文件匹配到了已有的反病毒软件特征吗?
1.优先于我现在学习的时候，书已经出版很久了，实验文件已经被杀毒软件标记为病毒了。
2．是否有这个文件被加壳或混淆的任何迹象?如果是这样，这些迹象是什么?如果该文件被加壳，请进行脱壳，如果可能的话。
1.查壳工具查出使用了UPX壳,外加PE段目录表发现3个 UPX段,更加确定使用了UPX壳.
2.从UPX github上Releases · upx&#x2F;upx (github.com) 上下载下来  使用命令 upx.exe -d 文件路径(自动脱壳,脱完的文件会覆盖原文件)
3．有没有任何导入函数能够暗示出这个程序的功能?如果是，是哪些导入函数，它们会告诉你什么?
1.使用了动态加载dll 获取函数地址的方式，所以有些函数是没有出现在导入表的。

2.导入了CreateServiceA函数会创建服务。需要留意。

3.调用了internetOpenA 函数 （初始化应用程序对 WinINet 函数的使用） ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2010-3/" title="恶意代码实战分析10.3">恶意代码实战分析10.3</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 10-3本实验包括一个驱动程序和一个可执行文件。你可以从任意位置运行可执行文件，但为了程序能够正常运行，必须将驱动程序放到C:\WindowslSystem32目录下，这个目录在受害者计算机中已经存在。可执行文件是Lab10-3.exe，驱动程序是Lab10-03.sys.问题1．这个程序做了些什么?1.Lab10-3.exe将”C:\Windows\System32\Lab10-03.sys”驱动通过SCM服务运行起来.
2.通过CreateFile打开名为”\\.\ProcHelper“设备,通过DeviceIoControl与驱动进行通讯.
3.驱动注册了设备路径”\Device\ProcHelper“,链接用于3环通讯的设备名’\DosDevices\ProcHelper‘.
4.通过绑定驱动回调   _DRIVER_OBJECT.MajorFunction[IRP_MJ_DEVICE_CONTROL]  IRP_MJ_DEVICE_CONTROL&#x3D;0xe;用于与R3函数DeviceIoControl通讯.
5.绑定索引0xe的函数中获取了当前进程的结构体(E ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2011-1/" title="恶意代码实战分析11.1">恶意代码实战分析11.1</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 11-1分析恶意代码Lab11-01.exe。问题1．这个恶意代码向磁盘释放了什么?在exe名为”TGAD”资源节中提取数据并在当前目录下生成了名为”msgina32.dll”的dll文件.
2．这个恶意代码如何进行驻留?1.通过给注册表’SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon’增加值’GinaDLL’并向值写入释放文件的路径.这样就可以启动winlogon时加载释放的dll.
3．这个恶意代码如何窃取用户登录凭证?1.通过dll劫持导出了个修改过的WlxLoggedOutSAS函数.
4．这个恶意代码对窃取的证书做了什么处理?在WinLogon.exe目录下创建了名为”msutil32.sys”的文件,里面记录了打印信息”日期 时间 - UN WLX_MPR_NOTIFY_INFO-&gt;pszUserName DM WLX_MPR_NOTIFY_INFO-&gt;pszDomain PW WLX_MPR_NOTIFY_INFO-&gt;pszPassword OLD WLX_MPR_NOTIFY_INFO ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2011-2/" title="恶意代码实战分析11.2">恶意代码实战分析11.2</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 11-2分析恶意代码Lab11-02.dll。假设一个名为Lab11-O2.ini的可疑文件与这个恶意代码一同被发现。问题1．这个恶意DLL导出了什么?导出了一个安装函数:installer安装函数负责保持dll启动.
2．使用rundll32.exe安装这个恶意代码后，发生了什么?1.它往注册表’SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows‘下”AppInit_DLLs“值写入数据”spoolvxx32.dll“,不过我是在win10上测试的被拒绝访问了.
2.失败原因是因为没有用管理员权限.
3.试图打开**%SystemRoot%\system32目录下Lab11-02.ini**文件但是没有找到.
3.为了使这个恶意代码正确安装，Lab11-02.ini必须放置在何处?1.需要正常安装ini必须放在**%SystemRoot%\system32**目录下.
4．这个安装的恶意代码如何驻留?1.通过修改注册表’SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2010-2/" title="恶意代码实战分析10.2">恶意代码实战分析10.2</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 10-2该实验的文件为Lab10-02.exe。问题1.这个程序创建文件了吗?它创建了什么文件?1.创建了文件”C:\Windows\System32\Mlwx486.sys”.
2.是一个驱动文件,文件放在了资源表,资源序号0x65;
2.这个程序有内核组件吗?有一个sys驱动程序.
3.这个程序做了些什么?1.lab10-02.exe把放在资源表里的sys文件释放到”C:\Windows\System32\“下,文件名为Mlwx486.sys.然后通过SCM加载驱动.
2.驱动在入口函数通过MmGetSystemRoutineAddress函数获取了KeServiceDescriptorTable导出地址和NtQueryDirectoryFile导出函数地址.
3.通过遍历SSDT表找到相对应的表项,然后替换成事先准备好的函数进行hook.
4.在事先准备的函数照常调用了原有函数通过函数返回数据中比较文件名是不是为’Mlwx’,如果是的话就把当前单项链表摘掉:上一个链表直接通过加偏移指向当前的下一个结构体.   A-&gt;B-&gt;C  —–&gt; A-&gt;C
5 ...</div></div></div><nav id="pagination"><div class="pagination"><span class="page-number current">1</span><a class="page-number" href="/blogs/page/2/#content-inner">2</a><a class="page-number" href="/blogs/page/3/#content-inner">3</a><a class="extend next" rel="next" href="/blogs/page/2/#content-inner"><i class="fas fa-chevron-right fa-fw"></i></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="/blogs/img/headpicture.png" onerror="this.onerror=null;this.src='/blogs/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">小乾</div><div class="author-info__description"></div></div><div class="card-info-data site-data is-center"><a href="/blogs/archives/"><div class="headline">文章</div><div class="length-num">27</div></a><a href="/blogs/tags/"><div class="headline">标签</div><div class="length-num">0</div></a><a href="/blogs/categories/"><div class="headline">分类</div><div class="length-num">3</div></a></div><a id="card-info-btn" target="_blank" rel="noopener" href="https://gitee.com/xiaoqian2000"><i class="fab fa-github"></i><span>Follow Me</span></a></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn fa-shake"></i><span>公告</span></div><div class="announcement_content">欢迎学习和讨论</div></div><div class="sticky_layout"><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/20/Window10%20SwapContext%E5%88%86%E6%9E%90/" title="Win10 X64 1904 线程交换SwapContext分析">Win10 X64 1904 线程交换SwapContext分析</a><time datetime="2023-08-20T13:21:52.000Z" title="发表于 2023-08-20 21:21:52">2023-08-20</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/20/win10%20%E7%B3%BB%E7%BB%9F%E8%B0%83%E7%94%A8/" title="Win10 X64 1904 系统调用">Win10 X64 1904 系统调用</a><time datetime="2023-08-20T13:21:52.000Z" title="发表于 2023-08-20 21:21:52">2023-08-20</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/20/C++%E7%B1%BB%E7%9A%84%E5%86%85%E5%AD%98%E5%88%86%E5%B8%83/" title="C++类的内存分布">C++类的内存分布</a><time datetime="2023-08-20T11:51:52.000Z" title="发表于 2023-08-20 19:51:52">2023-08-20</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/15/decltpye%E8%AE%B2%E8%A7%A3/" title="decltpye:讲解">decltpye:讲解</a><time datetime="2023-08-14T16:03:52.000Z" title="发表于 2023-08-15 00:03:52">2023-08-15</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2010-1/" title="恶意代码实战分析10.1">恶意代码实战分析10.1</a><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></div></div></div></div><div class="card-widget card-categories"><div class="item-headline">
            <i class="fas fa-folder-open"></i>
            <span>分类</span>
            
            </div>
            <ul class="card-category-list" id="aside-cat-list">
            <li class="card-category-list-item "><a class="card-category-list-link" href="/blogs/categories/Effective-Modern-C/"><span class="card-category-list-name">Effective Modern C++</span><span class="card-category-list-count">2</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/blogs/categories/windows%E5%86%85%E6%A0%B8%E7%9F%A5%E8%AF%86/"><span class="card-category-list-name">windows内核知识</span><span class="card-category-list-count">2</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/"><span class="card-category-list-name">恶意代码实战分析</span><span class="card-category-list-count">23</span></a></li>
            </ul></div><div class="card-widget card-archives"><div class="item-headline"><i class="fas fa-archive"></i><span>归档</span></div><ul class="card-archive-list"><li class="card-archive-list-item"><a class="card-archive-list-link" href="/blogs/archives/2023/08/"><span class="card-archive-list-date">八月 2023</span><span class="card-archive-list-count">27</span></a></li></ul></div><div class="card-widget card-webinfo"><div class="item-headline"><i class="fas fa-chart-line"></i><span>网站资讯</span></div><div class="webinfo"><div class="webinfo-item"><div class="item-name">文章数目 :</div><div class="item-count">27</div></div><div class="webinfo-item"><div class="item-name">本站访客数 :</div><div class="item-count" id="busuanzi_value_site_uv"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">本站总访问量 :</div><div class="item-count" id="busuanzi_value_site_pv"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">最后更新时间 :</div><div class="item-count" id="last-push-date" data-lastPushDate="2023-09-19T10:27:22.405Z"><i class="fa-solid fa-spinner fa-spin"></i></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">&copy;2020 - 2023 By 小乾</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button id="go-up" type="button" title="回到顶部"><span class="scroll-percent"></span><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/blogs/js/utils.js"></script><script src="/blogs/js/main.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox/fancybox.umd.min.js"></script><div class="js-pjax"></div><script async data-pjax src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html>